a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
Size

1.5MB
MD5

383ec168beb81bd3bccd73f9bbaef2dd
SHA1

6bd648c0fdee218d0a351d83aaaa17f02d2ed78f
SHA256

a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888
SHA512

5cde036dc76c3b2a80e1d3b1a761f54593d3bf2e8c8b18c8a211c6d86c2f7cb45f2eecb95103f985bd325e72eac2354ef3d3025d24968bc8050e8b9d0beed555
SSDEEP

24576:Dz2DWm8S+LbzQkWWbCzLLB+lMP1NFzSRY:q8FD5nb2LLPrFmRY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1700	alg.exe
952	DiagnosticsHub.StandardCollector.Service.exe
3628	fxssvc.exe
1348	elevation_service.exe
4984	elevation_service.exe
5020	maintenanceservice.exe
5072	msdtc.exe
3372	OSE.EXE
2728	PerceptionSimulationService.exe
3112	perfhost.exe
3620	locator.exe
4168	SensorDataService.exe
2904	snmptrap.exe
3664	spectrum.exe
4964	ssh-agent.exe
3668	TieringEngineService.exe
2244	AgentService.exe
4368	vds.exe
852	vssvc.exe
5060	wbengine.exe
2620	WmiApSrv.exe
3712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4de558454bebce60.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\System32\alg.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\System32\vds.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\locator.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cec79205b0c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d88c9705b0c2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0380506b0c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9c6b105b0c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc4fbb05b0c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085459406b0c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c307d706b0c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8992606b0c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001662ed05b0c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
952	DiagnosticsHub.StandardCollector.Service.exe
952	DiagnosticsHub.StandardCollector.Service.exe
952	DiagnosticsHub.StandardCollector.Service.exe
952	DiagnosticsHub.StandardCollector.Service.exe
952	DiagnosticsHub.StandardCollector.Service.exe
952	DiagnosticsHub.StandardCollector.Service.exe
952	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3404	a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
Token: SeAuditPrivilege	3628	fxssvc.exe
Token: SeRestorePrivilege	3668	TieringEngineService.exe
Token: SeManageVolumePrivilege	3668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2244	AgentService.exe
Token: SeBackupPrivilege	852	vssvc.exe
Token: SeRestorePrivilege	852	vssvc.exe
Token: SeAuditPrivilege	852	vssvc.exe
Token: SeBackupPrivilege	5060	wbengine.exe
Token: SeRestorePrivilege	5060	wbengine.exe
Token: SeSecurityPrivilege	5060	wbengine.exe
Token: 33	3712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3712	SearchIndexer.exe
Token: SeDebugPrivilege	1700	alg.exe
Token: SeDebugPrivilege	1700	alg.exe
Token: SeDebugPrivilege	1700	alg.exe
Token: SeDebugPrivilege	952	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 980	3712	SearchIndexer.exe	111
PID 3712 wrote to memory of 980	3712	SearchIndexer.exe	111
PID 3712 wrote to memory of 4776	3712	SearchIndexer.exe	112
PID 3712 wrote to memory of 4776	3712	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe
"C:\Users\Admin\AppData\Local\Temp\a21f058e4df48bcb06524d9cc46484e94f52943911c8ebd0ceb5dba00cf9f888.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3460

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4984

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5072

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3372

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2728

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3112

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3664

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2084

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2620

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:980
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ac8080831267cfc22b3d2bebe1ad568b

SHA1
bf63ba3e5b3c38f832ee03b0424869917864a593

SHA256
71d208887a14483fe129fca50e60db7128e9742db6deb96cd10fdf6faa704f6e

SHA512
af3b3fbbc85a8462dcc078ecfb5535f40b22b9dfcb69925dda84524f384b38c1f201b15beeb020f77df56e3015eba9ccf95ccf1c43db925c057d3366d19d6b07

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
4311edc2d0be0ea6148beff00b61185b

SHA1
293a20139c41eba302663a1f519dbbc71003c04e

SHA256
038a384b94abcce15606a65ba21660d73c6ca492345ff2fd3dc798f051139cba

SHA512
697c07c1ec3934d5cac1d0dd018d1503b4014a79d668d32dd921f53a9565c461132e2fa5ee35db798285a527f5aafc3e3c2108ebf6bf6b70d462803b1a089aaf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
922a492851a3f5bc624dd5a0fceb6452

SHA1
06d4f6299e04c569d7298844229c65445edb1f20

SHA256
d08527bddf3896241738b4e031aca3470b58db1616bdcfe025265553553ed73d

SHA512
c4c8409a4c848664daf0a255c9038bb83d59595636628f7dd94b20149d937a33f2456398a3ad8cb2e3f24d5c870e2755ff11cd0a55d91639430f153a5017dd33

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c3aa37b38a29ba1eeb95c9883fac508e

SHA1
358986ec62ce0f708d022e8bdf87741fd6edb39a

SHA256
9642e8518ec9b43d76c491c0f1fae7e89931cf05b07c568d6e0de2535d1c047d

SHA512
6de52c219c11c50ab4c66f2d6a7d30a5e5608700dc2d01618978d0ca14b4f3e463c78145da25d616fe8dcee2cc0232219440abbd54cb9562b8dea415e94cfb86

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7f4c4035a1017969c07a9715acdce7e1

SHA1
a49525eff25381393b6c5e0e1b06a922e2e928dd

SHA256
56e744ce937c8e9827dd60a75db18645f7e761259cb0c95dccfef770c12737a9

SHA512
70efbbbd3ce92209445928fac498e109c23c6ad424ce5863817eb8bc8cd1ad13595f49b10986ee65b4d12b0e40db6f431cb9ec9fb03c4a7b4402a2dbbca090fc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b3d28e741bda8ef83d606c9b1d675ef5

SHA1
9beefad86c9102a076d7373c7e0037cc91c7de22

SHA256
f3a25b45618353ea58121386e7e4f05edb5541de37d28fab6ba5d26137a75510

SHA512
c3c9cde2beb8e3d04482305f9e72b1d91972cdd8133177f9e74f3d8c0d0b2beebbbe60401639986b4c73fc8b39fa06f1808fc9d971748cd4d38efdbb60bc345f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
0112e286812571f16a6fcfc02743cfcb

SHA1
f93822cfbdf2b1abf389476c2d3da9c25fcf689c

SHA256
a7defe156df89d2bf2736edde5ca698bb4fa72748994d2f4ba30a17e1bf29df5

SHA512
f665eea2b0ae4f5cccc0a7eb2c192d915a5ccb5bfaf19b350f677fc934c025f7de5b7bcadcfcb2d50334b7ff766162965a0ef110f6e221747113f3ac8d84d9e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ef1e90c0e44b418ca55b8f1579f889be

SHA1
b5e91211145d26c363ecf58a25a0507fd5436ab2

SHA256
9712cfef7338f396b4bdc0aafc06f4dd91882805d6983d9d147248d52452d1ca

SHA512
95156c8d572e87a0d3834be92ebd7b855cdb2d40ae0f77d88d62bb5388e46353df1840c2feb40dcf2a75643cdd3363b4d58c42801dfe72f56050fe0324abd2b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
dec3dd4bdc2548e15bd2a5bbc257210c

SHA1
0aaa79e9777e1ae4f4cfe423dd2a02f7fe06f25a

SHA256
5de5488a1117e6d52879680940de47f6806284958dc7ca4cb276fe58a9b1b547

SHA512
922e7d47e268b290b35da7805b11c81ad3732f66789745fddb3af4ed2edbc9c425caf15294f6bd2a24ca9cffcf32ee9c5e330a973350b3c27021c7186834d3fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ca25ad62179cbd5b0b225b1e9722da80

SHA1
35d0ee8263d4afdce2499445a30f5eb66aa58228

SHA256
7d9140d1cf0722b4f4b6fdc994bad4c9b041d15dead97ab88f22cd7b4929ee9a

SHA512
6d054c03765d27fb25efe86e6c4635c0cc22f3d4e277ccfbee87b793a3de79ed3ea94f6ea2a2540aae96617af94c7e2268e33cb1b46fb6af71139ed45e3c3add

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a92a81ceee123fa75a2d1cfb69bd8bb8

SHA1
a164d6fc7aa36ef4cba5b6539a630040a4bb8e29

SHA256
750d4f6f49aa6f439176d5455265a10fc30f3b794c3cda7fad013935928b4c85

SHA512
a4dea5bb7323771d5fa6aba0f0846c17c2c60d0764411a5bad43dd79d51edfb0bf08525ecc10fd8e387f8eeb8f2aaf2ab5ea50e23c3fa9a24b3065ec353953c7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
83e0d3eb5877ec81c039b3d39c375b24

SHA1
0290a6282bc84c9c4e5808becfb5b94f8977053e

SHA256
fa573897ef8045ab531653b6b2b4750713e59e7c698e4c6fff56d0faea526df6

SHA512
e7afebd749d6100eea060f2b7188841081a3b4541ecf785e6fc79fe0955d950cbb199f039ebd606547ab29bd31714f260fb8412763a78d8807c3780b24af1431

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
09a1c5b5533a83a8c7dd71735dfec676

SHA1
31e6119cbb32cf45dbec17d1bdc0812f4e908ef2

SHA256
53b94c3848c78b025dfca5338e3b11f70a25a7c4b8e8d11a9eef7b1868ef4f8d

SHA512
625a3b70f5485aaf9d62f2bf18f9001212501c96746769c63c1325125cf917f68551db7fc2df184d0544dff913d0836adb7b44d24fdc6ce72641ca5b9fc2069a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
847e3c79010178d440a8c90b0fea878b

SHA1
1b5d936aa21dc7d561f4bb097d50c80eeae748b3

SHA256
28c400a3bc8aa385465a328f4ede18089f953751db929b90fa0728b88bd714c4

SHA512
1c71d4d3f7f8fb7677727ca7f40e5e8f284624e3a5ef6c86570e8eb262ee0c2727dfe7ec0d117176c2d3b9acb834ab7ee72a2d7373a74b51fe4231ff32a09ea4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f3e3ac3dcfd3e4765a341bdac6f1ac26

SHA1
f51e9b5c8be6e92e6b8539059980e13474c3e3d6

SHA256
a9c331f35887d374b9309847432a77784f3dd7b1853136096d540861088f8fcf

SHA512
bbca22c93416c9ce73bfc1932a896ec9eacf88720706d27f308dba33fe2953cefde7550d2f3f1fcd8dbe0d94e8d6ea28a22f67f7317a7a8ef46eac73738f909a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
40fe6394688368a80af55777ac96affb

SHA1
2d0db72d3696bfedb6bbbdc8cec950a2097d97e4

SHA256
90b602a7cafa9fcc88f600c3d0edd9698ea7fd5fbb7c9721c160b2747ac25803

SHA512
8f4d111a99befc6416e2a5afb12ece5b9414d16b46f645f973c3d85785be5dfa502c24ef52208f9c09e577607964484d50588c7831990b119941255d75c3b008

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
dd8a345d51fc252ae9e1de837d1052d9

SHA1
c50ffd054fc62f48f456449e9edba2293ca2d1ca

SHA256
c1788ebb500632593fc937e513839e5698c873276b589c7faee22c1ee0d3ea04

SHA512
f8bdef34c2c22c7ff06823f1ec828cdf7b2c3f0ac5be127fbd6d9feac344314e274473fee2f64ef63fd810d9fce463f17a2e3a699658f28ba4a55f551f3ad38e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
494f180bc265f6806d4c99d67999c4b5

SHA1
3a87c0a6d17531e4f32fa1649d6c6aedc2ebc7ea

SHA256
788c40ba6c6c7cf52fd88ffc751c274058c18c8b95638a026318d7f06e7ec717

SHA512
7be6a5567856792c47b86a58e8c599c91d40b02c3f82cfe399b721ca5d3a95ff5f47a71db7eeed72f243ceaa1e843fd739130e28ea6a6ffa641bd2d896a7569b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
120075605d7b70ef976166658689d230

SHA1
701e680110c585d5fedf308137dc6512fac7b3c4

SHA256
017cb6aa1864dd93dc3ebf63964d5b6f4a9313277035b32f05766da61ae21345

SHA512
ece30c44d9d091516d502c73fcf196642008793fb070e36656110d2659895c964de0c4da9fcca0f6515019db726c65795b00bf85f25c1966054d86b856411f4e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d1df0b9e987bb57cd7d03315a5df530b

SHA1
9f1fedae9171884d91c485bdd2600a049c59456b

SHA256
fa82cf42ad24d91ab4799e8f6b6205f9e79033c84bd593b47dcc420e142ca7a4

SHA512
a474aeb5ae247843a42d4d34d5f93cd4d3b38633b200154d5bf65fcdae3669b098f69a7b095f1b1fda728899ba0ed522eded808317730a67c3171c6c930198a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
42d342dc9d35a3708310052b4def0037

SHA1
18bd348ee109693d76ffb12e806f49a53468032a

SHA256
5ff67e13539109df37d5e6ca025180deb401fb7e60c71d24c6e57935bd809ddc

SHA512
1b9d92d4e8e888195afe9f2378c0cabf2427b6cbd3d1d95495679d131de65f199d8c1f4d6c6b04b33388638f14e28202776bdfa7af2770c10d527908cc46eef3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
db366308a3e5eb0d72c5e98c40568d92

SHA1
f0ae07172cc29cde4815c38dc867ec5d42f60f06

SHA256
21dd78c410fec70e6b2d132300e31e564b481ee44d30fd697fc416abb047e172

SHA512
10270d929da4c34a403d15056e7b274779e81b9bcf353af81bec36aedf8f34ea144ed39bede211dd639da82a49bb271f8a104fc6aaca9c2bb0e3de1eb9d06413

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
f6e7bf975ebcab369a8d89f56c2a81e4

SHA1
b422d81295cd77d5bfaa990bb1bcb0653b0c086b

SHA256
65e918d603b46c59df9e5eda4bc1dcd1b7c9b2a2a2c1eaf4e658e1a0bf25400c

SHA512
bdc75f4713d8d2cdc7c3c22243561f0466c4c5d6ff42b470e37ab7b40545ed33940512f20b81041b58353aedd3d8cf14b160c4a0c6bf27184df4798aeb9f019a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
cf62b8d2135ca871ba3c73272e05e455

SHA1
73c6fb4590173bb97a86aba7ee0cd670b1e44464

SHA256
9492c69775b51b46d8f470f11965e9aecc44a235161708e3129a5ee51df5ad49

SHA512
6b12d5cb5ceb41f2ee7ad55c3c31ade60fa34afa5f2e3e3d34e63c86fc6f094028cb8ca280b664b0bbf9b1154fb972368e4766f752199f6aedbd020264e63b70

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
fc578ed7bbe226233d1dea2e5f03ea98

SHA1
e8774b6e38baac406664d2cfee02cffb37cbb676

SHA256
4bc991248ea459888b1998d31e8440d61ccfb3c27868b9403509aa2bb0702916

SHA512
52f9133ea8930fecc695232daa89d0965d2bc2cd295f1d4373932ecdfcf4e4c68579f3651ff358c8750b654949dc151748ad83324a323b721b2ea2d186a99856

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
7708ff7d0ddf7f1a3af1cd857aa636ec

SHA1
d0c21f8bdc3d925e60e2384384b9af905144f14b

SHA256
ec7f79249e415e4b879f61eda2726d0db554e4cd5da3a5327dd7aa44b80badcb

SHA512
52e297e852579414dbfabc0b633e115120f47e0466aee598e64cc14f250155131761e2b59e18840e9a7b0150f001cb16853342b987001a4781f1e53a92dc4e87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
36e70ac16b4a73303745b452636811a6

SHA1
a515113c96e2467bb8e644060ed39bf78644514b

SHA256
5daa8f68571a039c8b3a799e2b73bca5f464a6d25b8f64735693e6f34b99bf1e

SHA512
162df1b89633ec5a521e8368b655fb9756f345c81b44a426b2b28c131d640d881d64aff67cc7afe7c11f7ac23660c005c89fc7b944100fe7622e42346778191a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
8118db21cb3a98284f87391f21099706

SHA1
b459122263510014852f12988fef4cae114f9978

SHA256
a60178cf33646ec713ec3720fdb0b0490067220c8a529588d6ed90fde7d98de2

SHA512
6f90afb50be296c3a8d3c5923f156c55ccb4dc9f2e67ed66edfdfa5a35b961ed66a9a6585ce6e783bc3a09a822ce52e531d108642cc3faefb46e92030e5514f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
53b1cd8edba5ea93119fa247f0455b91

SHA1
4111b771180eeb9fb436751d1dbeabbc912cc7c6

SHA256
f249c58d8579b337ee010c47430abe357107b13b1badec2377b56cb9481c2676

SHA512
b2239c39f269319c93c7afda59d8e112f4196991db9818bec8b6d7b3c0be1200851422153504dc83705ea0cd1259406f8472c322c1527f8eef67985e7f32fc59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
67bc349e6601b1cbca39699f5a3ad0e7

SHA1
8f294a12c20178df543646fed7e57a83df0e10e8

SHA256
a5b3b1dbb57e2e3183e1688a7821e0a3fa0efeac9af0c7b27ad70ac739fa023b

SHA512
34238c04787faf3f74dc40eb4a3663944603ddd71c5583ee881ec82e578f366eecf77c435a28ec66efc0454816c9a8a88fc6a86949ffceeafd4ab4cfa997f27e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
0f168fa9b1bf5a6623b47422afc790fb

SHA1
8434dcfb347dbb7fe51fe84652055c0c1fb3e772

SHA256
21140f751cea5694fc872ff7fb66f68756d799a63d4a2c7df992f9d72894aad7

SHA512
f3c0f89d2642628aed6cfce5310690b3d0f66507c74f13096d52bc76c431b5dfc42fbbd5738955f9e6edd79ccac7c462720963ad0bd5a5fa9677e6eeb6a14c0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
6623add8064c78ab7398515284e01f42

SHA1
7613f53b0e8c485788a18f5bf2521d6a079ff13b

SHA256
a4c8e3c1077ef8417fe6109f71f73197b21ff5ec276539308f5eb4041a9488b1

SHA512
81be6c1f2f0e1dd83a83996320851e96822cb9e474949012ca1b7df4bdebef998efd00f47c9b7cb8e8e4ae35b333378d2008bf7517f9ffecaaa8f3fcb11a1dfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
330d7629e5aaa2ecbbf3d0a86f87043d

SHA1
86288b91ef8a7f232021193ea419b7b2c8e5a6e2

SHA256
7a12fbe3cc450563cb493d9d77311a9eb06941a066c182629711150acfa43f73

SHA512
5a4d67489fbbd4fca1c60fdcc5dd7343fabc83dadbd0b8b940a7ff01625d4d3526c145d8fd3132aa3ea8fa6df69a5c2a22b21fedea7488e7381e3475cd2cd27d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
21af7ce06aebb9f08246a4b30a84faab

SHA1
146fc0987d727425a2a31b9b3a2af3f5644ca85c

SHA256
020dd847365dc5ed039cb45561374dbe746847fa5967aff85a3ad469ed0ffcca

SHA512
652a3393404e38d73ee64117632190f4f41ab91cd5648ec80a92e99763eeea7d987480c0bb7c687cddfa874cf72746645207c1cd210db293323991085590d55f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
0b1105f316770bac06f82151447f075d

SHA1
413bcc8e2b312824fd7d4694563d1eb1ee24120b

SHA256
7bd3096610591ed44c3b867a8f389d982aa00dbbe70d10b26cf29f5e3609c34a

SHA512
8776a249028aaac54f1578464e5c01cb6b2364374a814e8e4e19c594a1657d52657ac2df66a7bbce0372cfeb47ac0ba3c37004076a305f22306c13082cab32a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
55a14f623c7a2edb1992a68e1e6deba4

SHA1
1d16c7e8e5b72214b0b5f0e81064275ba0c0bc2f

SHA256
60f8712c287bd587f75d942be70e5df10ae49e07b0550fe577c8c695ef6fa615

SHA512
f352d1b4a0f7f21db00b9b8c66d6e8ecf233348a26894ba3c7dc6fdbf76043cda1a2d66a1c44be9698241df42ea8c5947a964d2918bf5ab4598632153e0525be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
98c4eabdd7cf20b97299827f976fdcb4

SHA1
47fe127d63ee6da9c76f49f5594f7b6c6be0b441

SHA256
8bc98e9703bdb3682c878c99729bae988b0eef9b750d21c6e44653cc077a58f9

SHA512
bdc8b7b3d2d679edb40789faa00d146a22829ff5186a6f812ff3e6b5773a11d41198b59d47b6e2ba28146afe35d9bae29054c0031d0d635a518212b9fbf9cc5b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
00783bbd8482e99bf2a5c33738308a24

SHA1
61e6593dfd25756fb48b646149e000dca1f0416f

SHA256
b1f74d0322965e251762f6888e3b312181c31cf292bbfa00ea7087cf0e33d50b

SHA512
74727f0820b791b52e7fee5e3b83b414e814d3f7cc167274b4758b98812dea433db17bcda662fa0b36627fb4407a520fd57b7e0b5c553e75326b73ec71e25b67

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
43c2a03c44798aef62b1d8ceface26c9

SHA1
1ddfbcc7fa4dae0f27c1085e84fdb732bffcfcbc

SHA256
ba7b31a6cd51f2852e934a874860b0ab7af1b72351828678675e64e80ea53f9a

SHA512
a838ed50733b0d53cb4422ab116cb74a72e0e261f4b9142d45e5d7edc251b971fdd664aaf09b0c927b06b67ee31da8d60a22ae0cfbe353830eee4194e1cf9460

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4def70c787556a79a53ffae45826dc64

SHA1
602146f81a28e7b9e3653f63cc4ea7fd6f915edd

SHA256
1d885e7168ad58875aafe1106de66cf63fee5d563a4e3e8099cdb3e866af41c3

SHA512
5c0c0dde8f2d47d9246d6bcc64f8c91e9d6f599220bb5d8d81f443240d17e51b7364eb510c3461d910788b8a789399589de7d859dc91b146df46ed1a89f1d8ea

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c090e4103ea66fc357637f3abb590390

SHA1
db426b536c9203d8ed3527a7a12bc05c24b2cfd8

SHA256
a2454d33e4c940be053e490e5f23ee113d7729d0f7408c21163fa1e9e2ea7d5a

SHA512
10c7966c24918f4c85d3b5123dfbdd364e550d96f9c15fd805ecf6739711224ecaea4337cf40e89067b18bbcb55a8daa51d67d66e753a88153da25b8adf8f143

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
73983f2f8caa30525accc68f9c95d6b0

SHA1
185987a817a8e6ee76ef09c3ba4d9a2248c2ecc1

SHA256
7b7b0ee82cb1a547cc3022bd26156dd6e61fdec23376437b14b805f6fed3bac8

SHA512
a4d377b4d7914208aecfe1377abf415875da3f49ae9113479c289e35886c182b2bc3975012c8da0fbb9c5dc502fb07a2f58af6731a453ba70b3dc59f639ecf85

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
857f5652ea06615a20be48f8fd58b28d

SHA1
29b537e9780cabd429fdd0ff5e850d1b96417e89

SHA256
12108dbecaf89cdad5ebc637ef22602141f7bd68796507a52acdcdfb52d1d924

SHA512
2265e81c31fa3edf3f8a941f8eef6e8907eadf4ae4a6bef68c42ce7f6844a89e4b7e12df3fb33f765d3b1294534c2b6b6dd69c931b8004d1e6084267ee6746c5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
98c26b4c1b7a65501785d8d478c84c70

SHA1
ccd9cd36750928c0bfa29caf8677ae3dbd0cf45d

SHA256
f47139b2ea31839e13fe31da3761596c03895b72193f914233c86bcb47d7584e

SHA512
356e92ec755b21971300af60ff58c6d34e2507608820ec39a188b4cb84ad7d209183a7dbd92fe47872b5c70f617e546eee0e39476891b5420d4d2d97c521e8a9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
12a254659c8eab9f7407fc3b856dc244

SHA1
e9418b697e99e6b06264a5f4538603dc326e85d6

SHA256
d3367a6f873440d6d722a51caebade79ed84cc83bd1fdaaad8d4342a0c0b9f7d

SHA512
d7317fc7a75840412e8bf06c98dafc440b64925df6d71109f64c7f58f892e377a4f21a98721165b99c9302cd64279476fa8827996f8ac3218df6c62ac8776f9b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
369940a7f4bbc98716087ef43ffbf0e7

SHA1
c502040d2cbee6dba2a0a9d661403234260c200d

SHA256
4fddddc4aae9ed6dccec16e0bbff01ff921bab6d4ff1bcc26b05d5aab27b7727

SHA512
d6dc9976058a0c175f09ca8c987570033fc14ef29e865f6fd0b04a2b5808abbb9e575b8861dec112b0f01ebc21550e2e0d0b107969d121105026cc64a0292596

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
edd0f78b100e499f215b38a4b6759d73

SHA1
3e02a390ff8e98a798e8cb45918b3141ba8c6746

SHA256
e3c1700f055dd44eadb9bc055763fa0dc555581e6224fa8b96a0623cc34363b6

SHA512
665ba48fa5acff1fbd0f273b136375959392945dff39e8815e4ca92c630108c5975cf9cc1aeac3f9b6b8e7a92ab8ea8457886cd0ac4ef60a01235ced1ab16b4e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9d53902bc57a6c62fcf024778e826b20

SHA1
11af7be0ab301e2492b754a7d454c31325754ea8

SHA256
dc1a9941473aaa8e12289c416b7fd7a3e78c46b07a54138f3a6d5bf5b28082de

SHA512
d6d54a88fda6e78485dab35fe80c45e23ecb081234b06b616f5f3669720267d5f6e72f4189d9e24bf2e2178f04abc86e3011005bf9951e56d0c7ba4e518b9305

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
18346ae667becc0a671d4156304cb2ea

SHA1
b52b8e4707d3c4d69f72ce804385c11d0f789312

SHA256
f9a0eb03435c581204f65b67aad87101cdd4b09407e334a4aa13442e2a4b3b1f

SHA512
4f30c210c583ecc889b2c8ec7ecec8e4e365546fb2f6e42155710b6edb70b4e7ce2ffc60b02bbfc5195928eadb991052474bdc7da8f0ff04576a16ebbc7a98eb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
4cdfc4f275ab56da4b50dcd847124112

SHA1
58ec565850e9253f2858fadc33ba4b6f14ac622b

SHA256
4b3357dfd029e7ab01306dcb0d30e17711fcd1e9ffcd39e5f86711125c51b737

SHA512
068175bf27928e9d2d29630d4c828fc19632fc897dd3722108a77953512a805bc0a9ca254e7a26c59d357b5345b7dbb667855496622727e5f1a7a4fde5c53e4b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fc65a111a509db37f17ed17f5b35f41c

SHA1
c85bc98c77c5ed0ca16fbfd457f213282341161a

SHA256
1a1f382dd02d8c0489b18208ade24eb7927ec708d387c4791b2c2b9fe0b32cf1

SHA512
9b7e2d39b24fd793564fd74d3e286e163f3ecfd37ec8807671e5b92bb637377cd96858815e25f931d3d4354e43500b9a80fe085ec446131003b09e83fbeb54fe

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
309f760ba301b12173321b438c40aa58

SHA1
a29ab68e27c68c4114feac51faec2b84a40ba399

SHA256
99a38e934c771ff0fbe7041d3c8720bf478d3b5cfa43c862ca81bf1468418d2d

SHA512
2e1d3247478dfd973b36bb8548827178fbd4d891547e5f3686b24de54d01485e874b944c18ea34c84f719e8a7b5f59677577e55f1539e617f673b8ce04aafd24

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
2154939801d02166dd0db736a9cf7611

SHA1
22653795fd6c23bbba0c8f7cf36b60cd5d68e784

SHA256
66687d19d36c144cde81f93904288aaff2725e8c91c22a7d97b2dd2e2ce4cf13

SHA512
abd17d3394da81f6152d1377de274082050a972eb2979493514a5e1cdec693880d1e2a3263398778fda5e27583b5e3a19881118b985ec4c50eba9cd17ed167ac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a110cc57fa91a0d3dd6a889bc9bc0bbe

SHA1
0e1458dbe598539fa60eb5961c4824f7e79f4f62

SHA256
d82315d9c79b4f9594134fc57e9cac0f772e25499f505bf8b3294b691d87ab7d

SHA512
110ca6acba2004cfc0d44334223e30054df9b9368baa64e152b6a30f0b2a4bd35d79f7e8d12ac1e665b2d9ae947838ccd23d3ae7f8ecb7b980d30c95e7061a88

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
03ffa47b783fa6533606e830e48f22dc

SHA1
a0282f0805a334e39ae99c5bb0d00e925ba9d685

SHA256
41324a9e4f370592fd39de29cb81b2d39f5bfd53bfe206d2b9bd392868d3d6b2

SHA512
2777c9cefac1601ced8c8fae4785bf56be2056b879d8e3e117ba887f8c2ea4e7249b48f4a762f9a0ddef35ef061a2971aa45dc5b2273ec77fba90d16b5c7f9cf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4e322e50046fb690f82e3279ce55ca34

SHA1
824a8d68d982306b9b684f2b187b7e5f9cb17d79

SHA256
e13e079ead52bc09244a6e06e710ba164b184df1248719db8fcfbb47f8a4c8e8

SHA512
2f7d8a8089bbd314ca086ba66088d7cfe18fee099a3bf6bcc1dc25ce699c87ff66aadbea3160e38f3a9778fe2a0b10a95b6db22ba78f254850ded51d36962378

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a8f10d0ea45ea4bbe0d5f076bdbcb2b1

SHA1
ccce1d5e2985dcddb26ed9c14b292051bb62d49c

SHA256
ad0f96d9266ac371cdfa7b8bf53ce7fd9a2314e235f2dbfab8c1ff3119c35cc8

SHA512
11192b21702c9c5d83879b1039c7f867905f07b66a9f45763533ca32adfb6a51780143bdc768072a513a58833ac361f44143d712c33f93a7e77e6ab15fc61f39

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7cf08f77ec454c22f9bd116c8ac2003d

SHA1
69d207647724587e94d92a1e592f5b75bfa499ce

SHA256
2427c1236420ceec0b213407b61ba3e836f88aa70c9a54f7ef0cb2ce2c8dcd2d

SHA512
6746f6e4c95db27c1433d6c7950d6d04b4c26f34ac71647a3d6ea998b312ebf4f8dde5536d977c6470813cb27e43198bbd7aa3ffee626cb42c5ab2f33a2a7158

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
ea421b39b293a67a3e25fff65b346722

SHA1
f2e08946c57e12ce9c3146a19b551e575f80a4b8

SHA256
ca6b0acfb6724855a0362bb36914fbc4b7c128e12963270ab7b4037c3102b284

SHA512
757d5229767369569cb733b85dd32e1f4ffb0d8f7030c8c05f770c2453d99411d9fcb20e878997d4fe4b56ed0d542389152f24ccf12c938616de86405702e5f2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
63fb51fba4374c136719017f50659c77

SHA1
17167d5e5849d18eaf89cf391b333a299a724508

SHA256
662832fafff4af8f7489be79c6b7b0804e4df787d411506536aac9650a38cd18

SHA512
d2e0b36f42b2f8328b1bed552c516a45dce54dfae62cd27fe797d00cfcbf7fd8e1b013f7a6f5c0ae8f82a12089567139afeb2e376f7d038237600226d53497d1

Download Submit
memory/852-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/852-653-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/952-26-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/952-27-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/952-33-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/952-184-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1348-207-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1348-49-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1348-55-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/1348-68-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1700-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1700-179-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1700-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1700-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2244-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2244-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2620-657-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2620-265-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2728-141-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2904-160-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2904-468-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3112-142-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3372-140-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3404-9-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/3404-8-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/3404-504-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/3404-507-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/3404-0-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/3404-137-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/3620-143-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3628-46-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3628-83-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3628-81-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3628-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3628-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3664-646-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3668-651-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3668-204-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3712-658-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3712-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4168-649-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4168-276-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4168-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4368-652-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4368-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4964-650-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4964-185-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4984-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4984-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4984-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4984-241-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5020-77-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5020-71-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5020-80-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5020-146-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5060-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5060-656-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5072-138-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5072-85-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download